Citizen Lab’s security researchers recently discovered an NSO Pegasus zero-click attack against a human rights activist that managed to bypass Apple’s Blastdoor protections.
NSO Targeted A Bahraini Human Rights Activist
A Bahraini human rights activist’s iPhone 12 Pro was silently hacked earlier this year. According to Citizen Lab researchers, the powerful spyware used in the attack defeated new security protections that Apple designed to withstand hidden threats.
The activist remained in Bahrain and asked not to be named. They are a member of the Bahrain Center for Human Rights, an award-winning nonprofit organization that promotes human rights in the Gulf state. The group continues to operate despite being banned by the kingdom in 2004 when its director was arrested for criticizing the country’s then-prime minister.
The Zero-Click Attack Doesn’t Need Human Interaction
Citizen Lab, an Internet watchdog based at the University of Toronto, examined the activist’s iPhone 12 Pro and found evidence that it had been hacked starting in February using a “zero-click” technique. This type of attack requires no user interaction to infect a victim’s device.
“We observed a massive global spike in Pegasus activity in July 2020, and began conducting research in a number of country contexts, including Bahrain. We hunted for Pegasus in Bahrain by instructing targets to forward us their phone logs for analysis, and by setting up VPNs for key targets to monitor their Internet traffic,” Citizen Lab explained.
The zero-click attack exploited a previously unknown security vulnerability in Apple’s iMessage. The hackers pushed Pegasus spyware, developed by the Israeli firm NSO Group, to the activist’s iPhone.
Researchers Called The New Exploit ForcedEntry
The attack raises concerns not only because Citizen Lab found evidence that the zero-click exploit defeated Apple’s defenses in both iOS 14.4 and 14.6, which were released in May, but also because the hackers found a way around BlastDoor, a new security feature built into all versions of iOS 14 that is supposed to prevent hacking by filtering malicious data sent over iMessage.
“Starting in February 2021, we began to observe NSO Group deploying a new zero-click iMessage exploit that circumvented Apple’s BlastDoor feature. We refer to the exploit as FORCEDENTRY, because of its ability to circumvent BlastDoor. Amnesty Tech also observed zero-click iMessage exploitation activity around the same time, and referred to the activity they observed as “Megalodon.” We confirmed with Amnesty Tech that the “Megalodon” activity they observed matches the characteristics of the FORCEDENTRY exploit that we observed,” Citizen Lab stated.
Due to its ability to circumvent BlastDoor, Citizen Lab researchers called the latest exploit ForcedEntry.
“When the FORCEDENTRY exploit was being fired at a device, the device logs showed crashes associated with IMTranscoderAgent. The crashes appeared to be segfaults generated by invoking the copyGifFromPath:toDestinationPath:error function on files received via iMessage.”
“The crashes appeared to be of two types. Type one crashes indicate that the chain of events set off by invoking copyGifFromPath:toDestinationPath:error ultimately crashed while apparently invoking ImageIO’s functionality for rendering Adobe Photoshop PSD data,” Citizen Lab added.
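As an added illustration (not part of Citizen Lab’s report or this article), the following Python sketch shows how an analyst might triage crash reports for the indicators quoted above: it parses constructed, simplified crash-log excerpts and flags IMTranscoderAgent segfaults whose backtrace passes through copyGifFromPath:toDestinationPath:error, separating those that also went through ImageIO’s PSD handling (Citizen Lab’s “type one”). The log layout, every address and every symbol other than the three named in the quotes are assumptions.

```python
import re

# Constructed crash-report excerpts (not real device logs). Only IMTranscoderAgent,
# copyGifFromPath:toDestinationPath:error and ImageIO come from Citizen Lab's
# description; every other symbol and address below is a placeholder.
SAMPLE_REPORTS = {
    "psd_path": (
        "Process: IMTranscoderAgent [412]\n"
        "Exception Type: EXC_BAD_ACCESS (SIGSEGV)\n"
        "0 ImageIO 0x1a2b3c PSD_decode_placeholder + 64\n"
        "1 IMTranscoderAgent 0x1a0000 -[IMTranscoderAgent copyGifFromPath:toDestinationPath:error:] + 120\n"
    ),
    "other_path": (
        "Process: IMTranscoderAgent [415]\n"
        "Exception Type: EXC_BAD_ACCESS (SIGSEGV)\n"
        "0 CoreGraphics 0x2b3c4d cg_placeholder + 8\n"
        "1 IMTranscoderAgent 0x1a0000 -[IMTranscoderAgent copyGifFromPath:toDestinationPath:error:] + 120\n"
    ),
    "benign": (
        "Process: IMTranscoderAgent [420]\n"
        "Exception Type: EXC_CRASH (SIGKILL)\n"
        "0 libsystem_placeholder 0x3c4d5e wait_placeholder + 8\n"
    ),
}

# One backtrace frame: index, module, address, symbol (+ offset).
FRAME_RE = re.compile(r"^\d+\s+(\S+)\s+0x[0-9a-fA-F]+\s+(.*)$")

def parse_report(text):
    """Return {'process', 'exception', 'frames'}; frames are (module, symbol) pairs."""
    report = {"process": "", "exception": "", "frames": []}
    for line in text.splitlines():
        if line.startswith("Process:"):
            report["process"] = line.split()[1]
        elif line.startswith("Exception Type:"):
            report["exception"] = line.split(":", 1)[1].strip()
        elif (m := FRAME_RE.match(line)):
            report["frames"].append((m.group(1), m.group(2)))
    return report

def classify(report):
    """None if no indicator; 'segv-copygif' for a segfault via copyGifFromPath; 'type1-psd' if ImageIO PSD handling is also on the stack."""
    if report["process"] != "IMTranscoderAgent" or "SIGSEGV" not in report["exception"]:
        return None
    frames = report["frames"]
    if not any("copyGifFromPath:toDestinationPath:error" in sym for _, sym in frames):
        return None
    if any(mod == "ImageIO" and "PSD" in sym for mod, sym in frames):
        return "type1-psd"
    return "segv-copygif"
```

A match here is only a triage lead, since IMTranscoderAgent can crash for unrelated reasons; the report would still need to be examined alongside the other indicators Citizen Lab describes.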
Not The First Zero-Click Pegasus Attack
A previous attack was launched against human rights activists, lawyers, and journalists. Following that campaign, Apple released a security update, iOS 14.7.1, which was believed to patch the exploited vulnerability. However, Citizen Lab notes that this attack method is a different one.
Apple did not comment on whether iOS 14.7.1 protects users against the new Pegasus attack; instead, it simply restated what it said last time: that the risk is low for most customers. Cybersecurity experts, however, argue that Apple needs to improve its security.